
LAB 6.5.1.2.

Packet Tracer: Layer 2 Security

Topology

Part 1: Configure Root Bridge


Step 1: Determine the current root bridge.
From Central, issue the show spanning-tree command to determine the current root bridge
and to see the ports in use and their status.
Which switch is the current root bridge?
The current root is SW-1.

Based on the current root bridge, what is the resulting spanning tree? (Draw the spanning-tree
topology.)

This bridge is the root.


Step 2: Assign Central as the primary root bridge.
Using the spanning-tree vlan 1 root primary command, assign Central as the root bridge.

Step 3: Assign SW-1 as a secondary root bridge.


Assign SW-1 as the secondary root bridge using the spanning-tree vlan 1 root
secondary command.

Step 4: Verify the spanning-tree configuration.


Issue the show spanning-tree command to verify that Central is the root bridge.

Which switch is the current root bridge?


Central.
Based on the new root-bridge, what is the resulting spanning tree? (Draw the spanning-tree
topology.)
Central primary, SW-1 secondary.
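The commands below are an added example of the Part 1 procedure, not configuration taken from the original lab file. They assume the prompts shown (Central, SW-1) and that both switches are in privileged EXEC mode; only VLAN 1 is used, as in the lab.

```cisco
! --- Step 1: identify the current root from Central (example, assumed prompt names) ---
Central# show spanning-tree
! Look for "This bridge is the root." or, if Central is not root, for the
! "Root ID" block and the port marked "Root FWD" (the root port).

! --- Step 2: make Central the primary root for VLAN 1 ---
! "root primary" sets the bridge priority to 24576 (or lower if needed to win).
Central# configure terminal
Central(config)# spanning-tree vlan 1 root primary
Central(config)# end

! --- Step 3: make SW-1 the secondary root (priority 28672) ---
SW-1# configure terminal
SW-1(config)# spanning-tree vlan 1 root secondary
SW-1(config)# end

! --- Step 4: verify ---
Central# show spanning-tree vlan 1
! Expected: "This bridge is the root." and Bridge ID Priority 24577 (24576 + VLAN 1).
SW-1# show spanning-tree vlan 1
! Expected: Root ID shows Central's MAC address; Bridge ID Priority 28673.
```

Because a root bridge is elected purely on the lowest priority/MAC pair, any device that sends BPDUs with a lower priority can take the role away; that is why Part 2 layers PortFast, BPDU guard and root guard on top of this configuration.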

Part 2: Protect Against STP Attacks


Secure the STP parameters to prevent STP manipulation attacks.

Step 1: Enable PortFast on all access ports.


PortFast is configured on access ports that connect to a single workstation or server to enable
them to become active more quickly. On the connected access ports of SW-A and SW-B,
use the spanning-tree portfast command.
Step 2: Enable BPDU guard on all access ports.
BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports.
Enable BPDU guard on SW-A and SW-B access ports.
Note: Spanning-tree BPDU guard can be enabled on each individual port using the spanning-tree
bpduguard enable command in interface configuration mode, or on all PortFast ports at once with the
spanning-tree portfast bpduguard default command in global configuration mode. For grading purposes
in this activity, please use the spanning-tree bpduguard enable command.

Step 3: Enable root guard.


Root guard can be enabled on all ports on a switch that are not root ports. It is best deployed on
ports that connect to other non-root switches. Use the show spanning-tree command to
determine the location of the root port on each switch.
On SW-1, enable root guard on ports Fa0/23 and Fa0/24. On SW-2, enable root guard on ports
Fa0/23 and Fa0/24.
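The following block is an added example of the Part 2 procedure and is not from the original lab. The interface range Fa0/1 - 4 for the SW-A and SW-B access ports is an assumption (the lab does not list them); the root-guard ports Fa0/23 and Fa0/24 on SW-1 and SW-2 are the ones the lab names.

```cisco
! --- Step 1 and 2: PortFast + BPDU guard on access ports (SW-A shown; repeat on SW-B) ---
! Fa0/1 - 4 is an ASSUMED range for the host-facing ports.
SW-A# configure terminal
SW-A(config)# interface range FastEthernet0/1 - 4
SW-A(config-if-range)# switchport mode access
SW-A(config-if-range)# spanning-tree portfast
! PortFast skips listening/learning, so a BPDU arriving here is always a sign of
! an unexpected switch or spoofing tool. BPDU guard err-disables the port on receipt.
SW-A(config-if-range)# spanning-tree bpduguard enable
SW-A(config-if-range)# end

! --- Step 3: root guard on ports facing non-root switches ---
! First confirm which port is the root port so root guard is NOT placed on it:
SW-1# show spanning-tree
! The root port is listed with role "Root". Fa0/23 and Fa0/24 are the ports the lab
! designates for root guard on SW-1 and SW-2.
SW-1# configure terminal
SW-1(config)# interface range FastEthernet0/23 - 24
SW-1(config-if-range)# spanning-tree guard root
SW-1(config-if-range)# end

SW-2# configure terminal
SW-2(config)# interface range FastEthernet0/23 - 24
SW-2(config-if-range)# spanning-tree guard root
SW-2(config-if-range)# end

! --- Verification ---
SW-A# show running-config interface FastEthernet0/1
! Expect: spanning-tree portfast / spanning-tree bpduguard enable
SW-1# show running-config interface FastEthernet0/23
! Expect: spanning-tree guard root
```

Root guard differs from BPDU guard in that it only reacts to superior BPDUs: a port that receives a BPDU claiming a better root goes into root-inconsistent (blocking) state and recovers automatically once the superior BPDUs stop, whereas a BPDU-guard violation err-disables the port until it is manually re-enabled (or errdisable recovery is configured).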
Part 3: Enable Storm Control
Step 1: Enable storm control for broadcasts.
a. Enable storm control for broadcasts on all ports connecting switches (trunk ports).
b. Enable storm control on interfaces connecting Central, SW-1, and SW-2. Set a 50 percent
rising suppression level using the storm-control broadcast command.
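An added example of the Part 3 procedure (not from the original lab). The trunk interfaces used here are assumptions: Fa0/23 - 24 on SW-1 and SW-2 (the same inter-switch ports the lab uses for root guard) and Fa0/1 - 2 on Central; the 50 percent level is the value the lab specifies.

```cisco
! --- Storm control for broadcasts on inter-switch (trunk) ports ---
! "level 50" sets the rising threshold to 50% of interface bandwidth; the falling
! threshold defaults to the same value when not given.
Central# configure terminal
Central(config)# interface range FastEthernet0/1 - 2      ! ASSUMED trunk ports toward SW-1 and SW-2
Central(config-if-range)# storm-control broadcast level 50
Central(config-if-range)# end

SW-1# configure terminal
SW-1(config)# interface range FastEthernet0/23 - 24      ! ASSUMED trunk ports
SW-1(config-if-range)# storm-control broadcast level 50
SW-1(config-if-range)# end

SW-2# configure terminal
SW-2(config)# interface range FastEthernet0/23 - 24      ! ASSUMED trunk ports
SW-2(config-if-range)# storm-control broadcast level 50
SW-2(config-if-range)# end

! --- Verification ---
Central# show storm-control broadcast
! Columns: Interface, Filter State (Forwarding until the threshold is crossed),
! Upper (50.00%), Lower (50.00%), Current traffic level.
```

With no explicit action, storm control simply drops broadcast traffic above the threshold for the remainder of the interval and keeps the port up; `storm-control action shutdown` or `storm-control action trap` can be added on the same interfaces if the port should be err-disabled or an SNMP trap sent instead.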

Part 4: Configure Port Security and Disable Unused Ports


Step 1: Configure basic port security on all ports connected to host devices.
This procedure should be performed on all access ports on SW-A and SW-B. Set the maximum
number of learned MAC address to 2, allow the MAC address to be learned dynamically, and
set the violation to shutdown.
Note: A switch port must be configured as an access port to enable port security.
Why would you not want to enable port security on ports connected to other switches or routers?

Ports connected to other switching devices have a multitude of MAC addresses learned on that single port. Limiting the number of MAC addresses that can be learned on these ports can significantly affect the functionality of the network.

Step 2: Verify port security.


On SW-A, issue the show port-security interface fa0/1 command to verify that port security
has been configured.

Step 3: Disable unused ports.


Disable all ports that are currently unused.
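An added example covering Part 4 Steps 1 to 3 (not from the original lab). The access-port range Fa0/1 - 4 and the unused range Fa0/5 - 22 on SW-A are assumptions; the maximum of 2 MAC addresses, dynamic learning and the shutdown violation mode are the settings the lab requires.

```cisco
! --- Step 1: basic port security on host-facing ports (SW-A shown; repeat on SW-B) ---
! Port security only works on access ports, so set the mode first.
SW-A# configure terminal
SW-A(config)# interface range FastEthernet0/1 - 4      ! ASSUMED access-port range
SW-A(config-if-range)# switchport mode access
SW-A(config-if-range)# switchport port-security
SW-A(config-if-range)# switchport port-security maximum 2
! Addresses are learned dynamically by default (no "mac-address sticky" needed);
! the violation mode is set explicitly even though shutdown is already the default.
SW-A(config-if-range)# switchport port-security violation shutdown
SW-A(config-if-range)# end

! --- Step 2: verify on the port the lab names ---
SW-A# show port-security interface fa0/1
! Expect: Port Security: Enabled, Violation Mode: Shutdown, Maximum MAC Addresses: 2,
!         Port Status: Secure-up, Security Violation Count: 0
SW-A# show port-security address
! Lists the MAC addresses currently secured per interface.

! --- Step 3: administratively shut down every unused port ---
SW-A# configure terminal
SW-A(config)# interface range FastEthernet0/5 - 22    ! ASSUMED unused range; check "show ip interface brief" first
SW-A(config-if-range)# shutdown
SW-A(config-if-range)# end
SW-A# show ip interface brief
! Unused ports should now show "administratively down".
```

A port err-disabled by a violation stays down until an administrator issues `shutdown` followed by `no shutdown` on it; the `Security Violation Count` and the `Last Source Address:Vlan` fields in `show port-security interface` are the first things to check when investigating why a host lost connectivity.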

Step 4: Check results.


Your completion percentage should be 100%. Click Check Results to see feedback and
verification of which required components have been completed.
